Scientists crack security system of millions of cars

It's the worst nightmare of the remote-control age - German scientists claim to have cracked the code of the electronic blipper that locks and unlocks cars and garage doors.

The team from Ruhr University says it is now relatively straightforward to clone the remote control devices that act as the electronic keys.

The scientists say they have overcome the KeeLoq security system, which is made by US-based Microchip Technology and is used by Honda, Toyota, Volvo, Volkswagen and other manufacturers to transmit access codes using radio frequency identification technology.

The revelation caused consternation among the car makers. Volvo said it took security extremely seriously, but preferred not to comment further until its technical teams were able to look at the scientists' claims to establish whether they could be substantiated. At Volkswagen, a spokeswoman would make no comment. Honda also said it would pass the information to its engineering teams, echoing the view: "We obviously take security very seriously."

If the claims are correct, it could pose a major headache for the car companies, whose keyless entry systems are becoming increasingly common in their high-end marques.

The research team from Ruhr's Electrical Engineering and Information Sciences Department said the crack applies to all known car and building access control systems that rely on the KeeLoq cipher. It targeted and ultimately cracked its RFID as part of its research in embedded security. "The security hole allows illegitimate parties to access buildings and cars after remote eavesdropping from a distance of up to 100 meters," says professor Christof Paar, head of the communication security group at the department.

Timo Kasper, a PhD student who worked on the research, blamed KeeLoq for keeping the cipher secret. He said: "If they had made it public they would have found out 20 years ago that it's insecure. Now it's a little bit too late, because it's already built into all the garages and cars."

Because most access devices are publicly available, it's not too hard for attackers to get their hands on one to perform the analysis. The hack requires about £1500 worth of equipment and a fair amount of technical skill, but once the unique master key for a particular model is available, it works universally, Kasper said.

Paar's team used various code-breaking technologies to develop several attack variables. The researchers said that the most devastating was the so-called side-channel attack on car keys (or building keys), which can be cloned from a distance of several hundred meters.

Based on the research, an attacker can reveal the secret key for the remote control in under an hour, and the manufacturer key of the corresponding receivers in less than a day.

"Eavesdropping on as little as two messages enables illegitimate parties to duplicate your key and to open your garage or unlock your car," says Paar. "With another malicious attack, a garage door or a car door can be remotely manipulated so that legitimate keys do not work any more. Thus, after the security of the building or car has been breached, the attacker can prevent you from future access."

The scientists said the KeeLoq's security relies on poor key management, in which every key is derived from a master that's stored in the reading device. Moreover, it uses a proprietary algorithm that had already been shown to generate cryptographically weak output.

That algorithm was kept secret for most of the last 20 years but 18 months ago an entry on Wikipedia published it. The research team almost immediately spotted weaknesses.

Microchip officials have been quiet on the revelations, relying instead on a prepared statement which said: "The paper requires detailed knowledge of the system implementation and a combination of data, specialised skills, equipment and access to various components of a system, which is seldom feasible.

"These theoretical attacks are not unique to the KeeLoq system and could be applied to virtually any security system."

The article on the Register said that someone posted the algorithm for the code on Wikipedia and they happened to read it there. So did they really 'crack' it?

If I recall, the person that posted the algorithm had inside information to the technology, so they didn't even crack it. This isn't a case of poor security, it's more of a case of industrial espionage.

After all, these things have been in place for over 20 years and no one had 'cracked' it until the algorithm was released.

So for those 'full disclosure' people, exactly how has this release made us all safer? Now any jagoff can open my garage doors or my car, and it will cost the manufacturer millions if they can do anything about it.

Gee, I really don't feel that safe from this particular case of 'full disclosure'.

A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

I wrote the program for the Basic Stamp 2, but got stalled on the mechanical side. There didn't seem to be a good arrangement that would cover multiple models/years. It could be built easily enough to cover just one model as a proof-of-concept though.

I found some lighter weight solenoids than I had shown you when we talked about this last.

Is this some concept to break the code on the keypads for cars? My friend had a Riviera that had one and I knew his code was really quite easy and there's no failed attempts lockout.

Specifically because there is no failed attempts lockout, you can simply configure a string of numbers that covers every possible combination. Since these buttons are 1/2, 3/4, 5/6, 7/8, 9/0, you can basically ignore the even numbers and concentrate on the odd.

You'll see in the following link there are only 3,129 button presses to brute force every possible 5 digit combination. This would take about 20 minutes manually. The previous few posts regarded a discussion we had a while back about creating an automated "button presser" to quickly go through the 3,129 keys.
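A check of the 3,129 figure, written as an added example for this thread (it is not code from the linked page or from any poster): it models a 5-button keypad that accepts any sliding window of 5 presses, confirms that 3,129 presses are enough to cover all 3,125 codes only because there is no lockout, and, with assumed lockout parameters that are illustrative rather than from the thread, shows how a lockout that clears the entry buffer and delays after a few wrong codes changes the cost.

```python
"""Keypad lockout check (constructed example; buttons and lockout numbers are assumptions)."""
from itertools import product

BUTTONS = "13579"   # the paired buttons 1/2, 3/4, 5/6, 7/8, 9/0 collapse to 5 symbols
CODE_LEN = 5        # 5-digit code, as discussed in the thread


def de_bruijn(k, n):
    """Cyclic de Bruijn sequence B(k, n) over symbols 0..k-1 (classic Lyndon-word construction).
    Every length-n window of the cycle is a distinct code, so it has exactly k**n symbols."""
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq


def press_sequence(buttons=BUTTONS, n=CODE_LEN):
    """Shortest press string covering every n-digit code when the keypad has no lockout and
    simply keeps the last n presses as the candidate code."""
    cyc = de_bruijn(len(buttons), n)
    idx = cyc + cyc[:n - 1]   # unroll the cycle so the wrap-around windows appear too
    return "".join(buttons[i] for i in idx)


def codes_covered(presses, n=CODE_LEN):
    """Distinct n-digit windows present in the press string."""
    return {presses[i:i + n] for i in range(len(presses) - n + 1)}


def all_codes(buttons=BUTTONS, n=CODE_LEN):
    return {"".join(p) for p in product(buttons, repeat=n)}


def exhaustive_cost_with_lockout(k=len(BUTTONS), n=CODE_LEN, tries_per_lockout=3, lockout_seconds=60):
    """Assumed mitigation (parameters are illustrative): the keypad clears its buffer after every
    n presses and locks out for lockout_seconds after tries_per_lockout wrong codes.
    Returns (worst-case presses, worst-case seconds spent locked out)."""
    attempts = k ** n                    # each code now costs a full n-press attempt
    lockouts = (attempts - 1) // tries_per_lockout
    return attempts * n, lockouts * lockout_seconds
```

With the thread's keypad the sliding-window string is 3,129 presses long and hits all 3,125 codes; the assumed lockout policy raises the worst case to 15,625 presses plus over 17 hours of enforced waiting.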